One of the things that has always distinguished Validated ID among trust service providers is its commitment to maximum legal certainty. For that reason we have designed a robust service that guarantees not only legal compliance but also conformance with technical standards, so that our clients can be confident that they are protected now and in the future.
At the organizational level, this legal certainty is reflected in our commitment, as a trust service provider, to the highest standards of legal, technical and security quality. This is evidenced by certifications such as qTSP, ISO 9001, ISO 27001, ENS and HDS, among others, and by strict compliance with the regulations in force in all their aspects: the specific rules governing the provision of trust services, those on privacy and personal data protection, and purely commercial law.
Validated ID maintains appropriate technical and organizational measures in accordance with Article 32 GDPR, so as to ensure a level of protection appropriate to the risk of the processing. The measures described below are currently implemented at Validated ID; they are monitored continuously and adapted to the state of the art.
The Data Controller's personal data will in all cases be processed in accordance with the regulations in force, applying the technical and organizational measures that correspond to the type of data processed.
Accordingly, the Data Processor guarantees that it has implemented all the measures necessary for the processing of the personal data owned by the Data Controller, as described in the table below.
In any case, the Data Controller may at any time, and without needing to give any justification, request any information about the security measures implemented, including certifications, adherence to codes of conduct, policies or any other internal documents of the Data Processor, so that the Controller can be certain that the obligations of the GDPR and of the contract signed between the parties are being met.
Measure / Description of its implementation by the Data Processor
All business operations are aimed at secure data processing, in compliance with legal provisions within the European regulatory environment and with the recommendations of data protection supervisory authorities.
Data is deliberately never stored at Validated ID offices. All backups are kept in specialized data centres (CPDs) operating under high-availability standards.
Staff in the relevant departments at Validated ID offices can access only the data sets needed for their product-related tasks. A comprehensive roles-and-rights scheme keeps access rights aligned with the principle of least privilege. Data protection in the offices, and with respect to the clients handled by employees in each department, is enforced continuously to prevent any unauthorized access to databases and IT infrastructure.
These measures are described in greater detail below:
1. Encryption measures
Measures or processes by which clearly readable text or information is made unreadable, for example by transforming it, with the help of encryption procedures (cipher systems), into a sequence of characters (ciphertext) that cannot be interpreted without the corresponding key.
2. Measures to ensure confidentiality
Measures that deny unauthorized persons physical access to the computer systems and data processing systems used to process personal data, as well as to confidential files and data carriers.
3. Measures to ensure integrity
Measures to ensure that personal data cannot be read, copied, modified or deleted by unauthorized persons when transferred electronically or when transported or stored on data carriers, and measures to examine and establish the recipients to whom personal data should be transmitted.
4. Measures to ensure availability and resilience
The data is hosted in Azure data centres, with high availability and the ability to move workloads between centres, so that if one centre is affected another can take over its workload.
5. Digital signatures
Format. The digital signatures applied are in PAdES B-LT format. LT stands for "Long Term": the signature can still be validated after the signing certificate expires, because the certificate revocation information and the timestamps are embedded in the signature.
Algorithms. Digital signatures are made using:
Certificates. A one-time certificate (OTC) is issued for each biometric signature performed.
By default, VIDsigner uses Firma Profesional as the TSP for OTC issuance, but can be configured to use OTC from other TSPs.
Duration. Single-use certificates are issued with a validity period of 24 hours. The short validity period, together with the single-use policy, prevents the certificate from being reused for any other purpose.
Since the signature format is PAdES B-LT, the signature remains valid after the certificate's expiry date.
Time stamps. PAdES B-LT signatures contain a timestamp that proves the time at which the signature was made, so that the embedded revocation data can show that the certificate had not been revoked at that time.
The RFC 3161 (Time-Stamp Protocol) standard is used to request and create timestamps.
By default, VIDsigner uses its own timestamps, which it issues as a QTSP, although it can also be configured to use timestamps from other TSPs.
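As an added illustration of the timestamp request step described above (this is example code written for this page, not VIDsigner's or Validated ID's implementation), the following Python builds an RFC 3161 TimeStampReq using only the standard library and decodes it back. It assumes SHA-256 as the imprint hash algorithm (the page does not state which one is used) and, for the PAdES case, that the imprint is computed over the CMS signature value, as the signature-time-stamp attribute requires. The signature value bytes are constructed sample data, and the function names (build_timestamp_request, parse_timestamp_request) are this example's own. Sending the request to a TSA over HTTP and parsing the TimeStampResp are not shown.

```python
"""RFC 3161 TimeStampReq encoder/decoder using only the Python standard library.

Example code added for illustration; it is not VIDsigner's implementation.
SHA-256 as the imprint algorithm is an assumption (the page does not say).
"""
import hashlib
import secrets
from typing import Optional

# id-sha256, OID 2.16.840.1.101.3.4.2.1, already DER-encoded (content octets only).
OID_SHA256 = bytes.fromhex("608648016503040201")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 stops a set high bit reading as a sign."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_timestamp_request(signature_value: bytes, nonce: Optional[int] = None,
                            cert_req: bool = True) -> bytes:
    """Encode TimeStampReq ::= SEQUENCE { version(1), messageImprint, nonce, certReq }.

    For a PAdES signature timestamp the imprint is the hash of the CMS
    signature value octets. The nonce ties the TSA's response to this request
    (the client must check it comes back unchanged); certReq=True asks the TSA
    to include its certificate, which the validation data embedded in a B-LT
    signature needs once the signing certificate has expired.
    """
    if nonce is None:
        nonce = int.from_bytes(secrets.token_bytes(8), "big")
    digest = hashlib.sha256(signature_value).digest()
    algorithm_id = _tlv(0x30, _tlv(0x06, OID_SHA256) + b"\x05\x00")  # NULL parameters
    message_imprint = _tlv(0x30, algorithm_id + _tlv(0x04, digest))
    body = _der_integer(1) + message_imprint + _der_integer(nonce)
    if cert_req:  # certReq BOOLEAN DEFAULT FALSE: DER omits it unless TRUE
        body += b"\x01\x01\xff"
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_timestamp_request(der: bytes) -> dict:
    """Decode the request fields; raises ValueError on an unexpected structure."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = _read_tlv(seq, 0)
    if tag != 0x02 or version != b"\x01":
        raise ValueError("unsupported TimeStampReq version")
    tag, imprint, pos = _read_tlv(seq, pos)
    if tag != 0x30:
        raise ValueError("missing messageImprint")
    _, alg, hash_pos = _read_tlv(imprint, 0)
    _, oid, _ = _read_tlv(alg, 0)
    if oid != OID_SHA256:
        raise ValueError("unexpected imprint hash algorithm")
    _, hashed, _ = _read_tlv(imprint, hash_pos)
    result = {"version": 1, "hash": hashed, "nonce": None, "cert_req": False}
    while pos < len(seq):  # remaining optional fields: reqPolicy, nonce, certReq
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0x02:
            result["nonce"] = int.from_bytes(content, "big")
        elif tag == 0x01:
            result["cert_req"] = content == b"\xff"
    return result


if __name__ == "__main__":
    # Constructed stand-in for a CMS signature value; a real one is the
    # SignerInfo.signature octets of the PAdES signature being timestamped.
    sample_signature = bytes.fromhex("3045022100aabbccdd")
    request = build_timestamp_request(sample_signature, nonce=0x0123456789ABCDEF)
    print(request.hex())
    print(parse_timestamp_request(request))
```

The request would be POSTed to the TSA with Content-Type application/timestamp-query. Two checks matter on the way back: the nonce in the returned TSTInfo must equal the one sent, and the messageImprint in the token must equal the digest submitted; otherwise a replayed or substituted token could be embedded in the signature.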
The relationship between controller and processor must be governed by a data processing contract, whose content is regulated in Article 28 GDPR. The contract must be in writing, including in electronic form. The Validated ID-Partner-Client relationship can give rise to many different situations, some of which would require custom-drafted processing contracts, although Validated ID includes, as an annex to its Terms and Conditions of Service, a generic standard data processing agreement that provides legal protection for the parties.
That agreement establishes the conditions under which Validated ID will process personal data: the end client is the Controller and Validated ID is the Processor or Sub-processor, depending on the case.
In general, personal data will not be communicated to third parties, except under legal obligation, which may include communications to Public Entities, Tax Agency, Judges and Courts.
Data collected by VALIDATED ID as Data Controller is stored on servers owned by the Data Controller within the territory of the European Union. It will not be assigned or transferred to third parties, nor transferred to third countries, except in the cases detailed in section 1) and, in general terms, the following:
Public Administrations. Public Entities, Tax Agency, Judges and Courts and, in general, competent authorities, when VALIDATED ID SL has the legal obligation to provide them.
External service providers. To provide the service correctly, VALIDATED ID engages third parties that must access personal data under its responsibility. This is a processing engagement in which those data are processed in the name and on behalf of VALIDATED ID SL as a consequence of the services provided; only companies that guarantee compliance with data protection regulations are contracted.
VALIDATED ID SL follows strict criteria for selecting service providers to comply with its data protection obligations and undertakes to sign the corresponding data processing contract with the service providers through which it will impose, among others, the following obligations: apply appropriate technical and organizational measures; process personal data for the agreed purposes and taking into account only the documented instructions of VALIDATED ID SL; and delete or return the data to VALIDATED ID SL once the service has been provided.
VALIDATED ID informs that in accordance with what was indicated above, the following entities will be Subprocessors:
VALIDATED ID will not sell, trade or otherwise transfer the personal data collected to third parties, nor will it make any international transfer of data outside the EU.